704b9767400c6532381c0b2333695c1769dd2afc5b0c897fbfd144d0b03a9b34

General

Target

704b9767400c6532381c0b2333695c1769dd2afc5b0c897fbfd144d0b03a9b34.exe
Size

16KB
MD5

a4f3ae38d73b5231ad6d10e68c0fdae9
SHA1

b0774566fac5799412c6538918491c10d284b767
SHA256

704b9767400c6532381c0b2333695c1769dd2afc5b0c897fbfd144d0b03a9b34
SHA512

77754d5f2e056173a443d6e803229f0433e65d8e6951f5b3670d3a0c5596818f33ea7b576ef2f2969ec55bee6c525d257309ec022619051cd5d7706ed3d8e06b
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY/Ty8X:hDXWipuE+K3/SSHgxm/TR

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEMA515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	704b9767400c6532381c0b2333695c1769dd2afc5b0c897fbfd144d0b03a9b34.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEMA1FD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEMF8B8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DEM4F54.exe

Executes dropped EXE 5 IoCs

pid	Process
2100	DEMA1FD.exe
4008	DEMF8B8.exe
4760	DEM4F54.exe
4648	DEMA515.exe
3576	DEMFAD6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA1FD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMF8B8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEM4F54.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMA515.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEMFAD6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	704b9767400c6532381c0b2333695c1769dd2afc5b0c897fbfd144d0b03a9b34.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2100	1356	704b9767400c6532381c0b2333695c1769dd2afc5b0c897fbfd144d0b03a9b34.exe	90
PID 1356 wrote to memory of 2100	1356	704b9767400c6532381c0b2333695c1769dd2afc5b0c897fbfd144d0b03a9b34.exe	90
PID 1356 wrote to memory of 2100	1356	704b9767400c6532381c0b2333695c1769dd2afc5b0c897fbfd144d0b03a9b34.exe	90
PID 2100 wrote to memory of 4008	2100	DEMA1FD.exe	94
PID 2100 wrote to memory of 4008	2100	DEMA1FD.exe	94
PID 2100 wrote to memory of 4008	2100	DEMA1FD.exe	94
PID 4008 wrote to memory of 4760	4008	DEMF8B8.exe	96
PID 4008 wrote to memory of 4760	4008	DEMF8B8.exe	96
PID 4008 wrote to memory of 4760	4008	DEMF8B8.exe	96
PID 4760 wrote to memory of 4648	4760	DEM4F54.exe	98
PID 4760 wrote to memory of 4648	4760	DEM4F54.exe	98
PID 4760 wrote to memory of 4648	4760	DEM4F54.exe	98
PID 4648 wrote to memory of 3576	4648	DEMA515.exe	100
PID 4648 wrote to memory of 3576	4648	DEMA515.exe	100
PID 4648 wrote to memory of 3576	4648	DEMA515.exe	100

C:\Users\Admin\AppData\Local\Temp\704b9767400c6532381c0b2333695c1769dd2afc5b0c897fbfd144d0b03a9b34.exe
"C:\Users\Admin\AppData\Local\Temp\704b9767400c6532381c0b2333695c1769dd2afc5b0c897fbfd144d0b03a9b34.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\DEMA1FD.exe
  "C:\Users\Admin\AppData\Local\Temp\DEMA1FD.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Users\Admin\AppData\Local\Temp\DEMF8B8.exe
    "C:\Users\Admin\AppData\Local\Temp\DEMF8B8.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Users\Admin\AppData\Local\Temp\DEM4F54.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM4F54.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4760
    - - C:\Users\Admin\AppData\Local\Temp\DEMA515.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMA515.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4648
      - C:\Users\Admin\AppData\Local\Temp\DEMFAD6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMFAD6.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM4F54.exe

Filesize
16KB

MD5
8cfb350d10c694bbe57c3fc695b408d3

SHA1
6962fde242d2793dca8edaaa4a98bbefab34b4df

SHA256
418c94a60f6a94113cad9ef92722101cb8f8a93df7b43fadcdefcb29c3ce6c0e

SHA512
1dd645245803829e23c3ba902dcc0e3b60479e88c746a51d1ff5bc047441aa914ce0078aa6a7983e0a2ffcebcea22e7d34bbb211f843b4c4e7bfd55cb9e18ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA1FD.exe

Filesize
16KB

MD5
06d424a584d99bc7801fe7d750ca493f

SHA1
0db01dd18b5d43dee8a85c15158ac23271bf817e

SHA256
8fd79486988b355adfc1328602441817a35dee2107783914fd177b2a1fde5b6f

SHA512
fa7af5eaa086e18804cff471c2df195bb9eccfb64b3caf73c2f4e311eccc07fcb3d9165c92090a6a8acce6d37274b4b7f5d8a18105d834c997ac04d546d1bc71

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMA515.exe

Filesize
16KB

MD5
9b85077f7b161bc59998c65227ccf9cd

SHA1
9607cdc81207a81e0049b904d840151d3aa81c3b

SHA256
c73534c7e5454c0297ce1309079cf01405387acfe13a8b0b0f674bb1e4907b30

SHA512
d50ad9cedb271954849ad721082ad3228d54ca0ec18a8468004b7625a6a24fa92f66bf068af41d785b6cdecab64bbcadc56cfa944e9de68a9e20dac78482b6cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMF8B8.exe

Filesize
16KB

MD5
0808cf07edfbc2e163332454a65fd003

SHA1
3f054528092e2eeffb4308bce3e10eb25ce7c00f

SHA256
483e17154a46db55f87ded08ed89b9ffcb8683305e63e6e5b3986e6b4326039f

SHA512
28c992e8701a00b99da2317e3907ede2b8fcc1fa130a84c7af4cc4c22cc196fae2138cf29073bffb9f9f05dd14ae92e3d1c0888e21e46fe2fd90fd7124cde343

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEMFAD6.exe

Filesize
16KB

MD5
2bab71f67562a1e74da8d907072c442a

SHA1
9a84cd63175759e3777c082de62847b2914f6f3c

SHA256
414ffe74ede0f12d6ee1eeef652cf3b0b1c0b62595d67b4a0f6dbdca7188fa4e

SHA512
92cda2f0896b37261c4905ca39ccd567f0340203f4e721dea6175a3c4b59d63fb85a21e43c87171f69bc3c81f8b41c2f4ef9ac7b74f187691043f1f5a99fc9a4

Download Submit

Analysis

Sharing